Hashes could be only half the security recipe

Libraries of hash values for software could help define the good and the bad

By Patience Wait

Mar 01, 2007

Imagine that you're cooking dinner but, as an April Fools' joke, someone has taken all the spices, and all the household chemicals, and jumbled them together. Some jars have no labels, others are mislabeled, and you can't tell one from the other without opening them and taking a taste, which could have disagreeable consequences.

That's one metaphor for computer security problems today. Computer systems are full of files: many that provide fundamental administrative functions, others that execute applications, still others generated by computer users. The file names and extensions indicate their roles, but they could have been corrupted, hacked into and altered by a virus, a worm, a Trojan. Or there could be 'invisible' files, hidden from systems administrators, such as keystroke loggers, that intend to carry out some malicious assignment.

The National Institute of Standards and Technology is now asking the IT industry for help in devising one form of protection from corrupted or malicious files: a new algorithm, or algorithms, to generate secure hash functions for files. In the Jan. 23 Federal Register, NIST announced it is soliciting comments on what the requirements and evaluation criteria should be for these new algorithms (GCN.com/740).

Do the math

But getting a secure algorithm that hackers can't manipulate is just one side of the equation. The other is having access to an up-to-date 'hash library,' a compilation of the hash values for known commercial software.

That, too, is more of a headache than one might think. Every time Microsoft releases a patch, every time Dell issues new drivers (in other words, every time any software is changed in any way, no matter how minor), it will generate a new hash value.

There are companies that compile these hash libraries, such as Bit9 Inc. of Cambridge, Mass., said Brian Karney, director of product management and marketing for Guidance Software Inc., a computer forensics software company in Pasadena, Calif.

'They get about a million hashes a week' submitted for their database, Karney said. 'They also have [hashes] for malicious files.'

To tap into the database, his company recently entered into a collaboration with Bit9, Karney said, so that Guidance customers can access the hash library on a real-time basis.

The partnership extends customers' 'ability to keep up with what's known or trusted or good,' Karney said. Computer investigative tools are great when something happens, but they also can be applied before something happens to identify the threat, he added.

'There's serious hand-to-hand combat right now' between hackers and security professionals, he said, 'and the antivirus vendors are losing. The only way to do this is to be able to define what is known good and known bad, [and] giving security analysts, information assurance analysts something on the state of the device.'

A hash is like a digital fingerprint; in theory, every file will have a unique number, and if a file is modified in any way at all, it will be reflected in that number. That makes it possible to look at an executable file, for instance, and see if it is intact or has been modified, by comparing its hash value to the predefined number it should have.

'In isolation, a hash is not of much value,' Karney said. 'If you actually have a large collection of binaries, such as operating system files ... you can use [an algorithm] to identify bad files.'
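The comparison described above, as an added sketch that is not code from Guidance, Bit9 or NIST: each file is hashed and checked against a small library of known-good and known-bad values, and a file whose name is in the library but whose hash differs is reported as modified. SHA-256, the file names and the file contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify(path, good, bad):
    """good maps file name -> expected hash; bad is a set of hashes. Returns (verdict, hash)."""
    h = sha256_file(path)
    if h in bad:  # a known-bad hash wins regardless of what the file is called
        return "known-bad", h
    expected = good.get(os.path.basename(path))
    if expected is not None and h != expected:
        return "modified", h  # trusted name, but the content no longer matches
    if h in good.values():
        return "known-good", h  # matches a trusted hash, even if renamed
    return "unknown", h  # in neither list: the case an analyst has to review

def demo():
    """Build constructed sample files, tamper with one, and classify all of them."""
    samples = {
        "driver.sys": b"vendor driver build 1",
        "app.exe": b"application build 7",
        "logger.bin": b"constructed stand-in for a known-bad file",
        "notes.tmp": b"user-generated data",
    }
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in samples}
        for n, data in samples.items():
            with open(paths[n], "wb") as fh:
                fh.write(data)
        good = {n: sha256_file(paths[n]) for n in ("driver.sys", "app.exe")}
        bad = {sha256_file(paths["logger.bin"])}
        # A single appended byte is enough to change the hash of app.exe.
        with open(paths["app.exe"], "ab") as fh:
            fh.write(b"\x00")
        return {n: classify(p, good, bad)[0] for n, p in paths.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "unknown" verdict is why the library has to stay current: a legitimately patched file lands there, or under "modified", until its new hash has been added.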